Thursday, January 20, 2011

Security Onion nsm_all_del script

This blog post demonstrates the nsm_all_del script. If you have already run Setup and configured your sensors but need to re-run Setup for some reason (for example, to choose Advanced Setup so that you can pick specific interfaces), you must run nsm_all_del first. nsm_all_del deletes your current sensor configuration in preparation for running Setup again. Note that this is destructive: every existing sensor is removed, so any per-sensor customizations you have made will be lost and will need to be redone after Setup completes.

Suppose I ran through Setup using Quick Setup which enumerated my ethernet interfaces and created Sguil sensors for eth0, eth1, and eth2.

Now suppose I want eth0 to be just a management interface with no Sguil sensor. I need to run Setup again and choose Advanced Setup to exclude eth0, but first I need to run nsm_all_del to delete the current Sguil configuration.

When launched, nsm_all_del first displays a warning that it is about to delete the sensor configuration.

It then deletes each sensor in turn, asking for confirmation at each step.

Once nsm_all_del completes, I then run Setup again and choose Advanced Setup so that I can choose which network interfaces should have Sguil sensors.

Once Setup completes, I log in to Sguil and see that I only have Sguil sensors for eth1 and eth2; eth0 is now a management interface with no sensor attached.
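Logging in to Sguil is one way to confirm the end state; another is to check the sensor list on the box itself. The script below is an added example (not part of Security Onion, NSMnow, or the original post) that verifies, after nsm_all_del and Setup have run, that sensors exist only on the intended interfaces and that the management interface has none. It assumes the NSMnow convention of a sensor table at /etc/nsm/sensortab with one sensor per line in the form "name active port interface"; both the path and the column layout are assumptions, so the script parses a constructed sample by default and the caller can point it at the real file instead.

```shell
#!/bin/sh
# Added example, not Security Onion's own code: confirm that Sguil sensors
# exist only on the expected interfaces and not on the management interface.
#
# Assumption: NSMnow lists sensors in /etc/nsm/sensortab, one per line as
# "name active port interface". That path and layout are assumed, so a
# constructed sample file is used here; pass the real file to check_sensors
# to check a live system.

set -eu

# Constructed sample sensortab matching the post's end state:
# eth1 and eth2 carry sensors, eth0 (the management interface) does not.
SAMPLE_SENSORTAB=$(mktemp)
cat > "$SAMPLE_SENSORTAB" <<'EOF'
# sensor              active  port  interface
securityonion-eth1    1       7736  eth1
securityonion-eth2    1       7737  eth2
EOF

# sensor_interfaces FILE
# Print the interface column of every active (active == 1) sensor,
# skipping comment lines and malformed lines.
sensor_interfaces() {
    awk '!/^[ \t]*#/ && NF >= 4 && $2 == "1" { print $4 }' "$1"
}

# check_sensors FILE MGMT_IF EXPECTED_IF...
# Return 0 if the set of sensor interfaces in FILE equals EXPECTED_IF...
# and MGMT_IF is not among them; return 1 (with a message) otherwise.
check_sensors() {
    file=$1; mgmt=$2; shift 2
    actual=$(sensor_interfaces "$file" | sort | tr '\n' ' ' | sed 's/ *$//')
    expected=$(printf '%s\n' "$@" | sort | tr '\n' ' ' | sed 's/ *$//')

    for ifc in $actual; do
        if [ "$ifc" = "$mgmt" ]; then
            echo "FAIL: management interface $mgmt still has a sensor;" \
                 "run nsm_all_del and then Setup again" >&2
            return 1
        fi
    done

    if [ "$actual" != "$expected" ]; then
        echo "FAIL: sensors on [$actual] but expected [$expected]" >&2
        return 1
    fi

    echo "OK: sensors only on [$actual]"
    return 0
}

# Usage against the constructed sample: eth0 is management, eth1/eth2 sniff.
# On a real sensor, replace "$SAMPLE_SENSORTAB" with /etc/nsm/sensortab.
check_sensors "$SAMPLE_SENSORTAB" eth0 eth1 eth2
rm -f "$SAMPLE_SENSORTAB"
```

If the check reports that the management interface still has a sensor, that is the situation described above: Setup was run (or re-run) without first clearing the old configuration, so run nsm_all_del and then Setup with Advanced Setup again.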

Security Onion

Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It's based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!